Why integrating ISO 9001 and ISO 27001 works

In 2018, ISO 27001 is expected to have its’ biggest year yet with GDPR Legislation now in force across Europe. Read our guide to demonstrating GDPR compliance to find out more.

In 2016 ISO 27001 Certification increased by 20% across Europe compared 2015 (Source ISO.org). The management of data in terms, how it is used but also how it is protected are now becoming key areas of concern for businesses.

For many organisations that already implement ISO 9001 and are now choosing to implement ISO 27001, the challenge for them is how do we make this all work in sync? A common practice we see with organisations is they treat both management systems as separate projects but in fact, the best way to implement these standards is to integrate them as one system which will meet all the requirements.

By implementing an integrated approach your implementation team will save time and use less resources. It will also decrease the effort of maintaining the system and achieving continual compliance with both standards. The big plus will be it can save you money as integrated standards as audited as one which means Certification bodies will have to visit your site less often each year resulting in lower assessment costs.

Don’t repeat yourself

Traditionally ISO 9001 (Quality) and ISO 14001 (Environmental) have been the more popular integrated standard, ISO 9001 and ISO 27001 actually have many similar traits and can be fully integrated. Both standards focus on the internal/external issues relevant to the company, but from different perspectives. Both standards follow the Annex SL structure which means there are similarities in what the documentation and procedures required to effectively implement the system.

When integrating the two standards, you will reduce man-hours and resources. By ensuring your implementation team have a clear understanding of both standards and understand where the standards overlap. Your implementation project should be based not only on the current state of your organisation, in terms of compliance with the requirements of these two standards, but also on spotting shortcuts and low-hanging fruit. Some of the most important places where you can speed up the implementation are the following common requirements of both standards.

1. Interested Parties and their Requirements –

The organisation will have to determine interested parties and their requirements related to quality and information security. These requirements can be addressed with the same process, and an integrated list of interested parties can be created.

2. Responsibility and Authority to be identified –

The roles and responsibilities within the QMS and the ISMS are different, but again, they must be defined. This can be done in the same way.

3. Competence, Awareness, Communication, Control of System Documents and Records –

All these requirements are common not only for ISO 9001 and ISO 27001, but for other standards as well – and, they can be addressed in the same way and at the same time.

4. Internal Audit and Management Review –

Of course, the requirements to be audited and the review inputs and outputs are different, but the way the process is conducted is the same. Depending on the size and complexity of the company and its processes, internal audit or management review can be done at the same time or separately.

5. Both require systems for nonconformity and corrective actions –

The process of handling nonconformities and corrective actions can be the same for both standards, and there is no reason to separate them.

With all these common elements, it would seem logical to maintain one system for each common element. Keep in mind that although some requirements seem the same and can be covered with the same process, that doesn’t mean they will have the same results for both standards. The focus of ISO 9001 is on quality products and services and customer satisfaction, while ISO 27001 is focused on information security; therefore, the results of the management review as well as the inputs will be different, and the same is with most of the above-mentioned common clauses.

Additional requirements of ISO 27001

The differences between the standards usefully supplement each other, which decisively contribute to increasing business success: information security secures the company’s potential, and quality management creates it. After addressing the common requirements of the standards, the company must deal with their differences which are mostly present in clauses 6 and 8. ISO 27001 adds the following to the IMS:

1. Information security risk assessment –

The organisation needs to develop a methodology for the identification and evaluation of information security risks. This process shouldn’t be mixed with addressing risks and opportunities in ISO 9001 since the second has far fewer requirements and applying the same methodology can be overwhelming and unproductive in ISO 9001.

2. Information security risk treatment –

This process doesn’t have a peer in ISO 9001, so it can be done independently. It basically requires the organisation to apply one or more information security controls listed in Annex A of ISO 27001. Does

Do Integrating systems provide ROI

By integrating the two management systems, there are many synergies that allow for combined resources to save time (up to 30%) and money on maintaining and improving the management system.

With a holistic management system approach that embodies international best practice, organisations can demonstrate compliance with both the ISO 27001 and ISO 9001 standards to customers, certification bodies, and regulatory authorities. In addition, by integrating the management of quality and information security, organisations can demonstrate both the quality and security of their processes, as well as achieve a significant competitive advantage through improved organisational performance, reduced risk, better customer satisfaction, and enhanced reputation and marketability.

Emma Orford
Emma Orford

Keep up to date with our latest news!


Related ISO Certifications

ISO 9001 - Quality Management

ISO 9001

Quality Management System ISO 9001 is the internationally recognised global standard for Quality Management Systems. It confirms an organisation’s commitment

ISO 14001 - Environmental Management System

ISO 14001

Environmental Management System ISO 14001 standard is the global standard for organisations wanting to demonstrate their environmental credentials. It

ISO 45001 - Occupational Health and Safety

ISO 45001

Occupational Health and Safety ISO 45001 is an international standard that specifies requirements for an occupational health and safety

ISO 50001 - Energy Management Systems

ISO 50001

Energy Management Systems ISO 50001 is a global standard for organisations looking to improve their energy management

ISO 27001 - Information Security Management Systems

ISO 27001

Information Security Management Systems ISO 27001 is the international standard for managing risks related to the security

ISO 22301 - Business Continuity Management Systems

ISO 22301

Business Continuity Management Systems ISO 22301 is the business continuity management system (BCMS) standard. It provides a framework that

ISO 20000-1 - IT Service Management Systems

ISO 20000-1

IT Service Management Systems ISO 20000-1 Service Management is the international standard for quality management specifically focused on IT

ISO 13485 - Medical Device

ISO 13485

Medical Devices ISO 13485 is a globally recognised quality standard that identifies the requirements of a quality management system

ISO 27701 - Personal Information Management System

ISO 27701

Privacy Information Management Systems ISO 27701 is the global standard for Privacy Information Management Systems (PIMS), also known as

Personal Information Management System - BS 10012

BS 10012

Personal Information Management System BS 10012 provides a framework for a Personal Information Management System standard, helping you maintain

ISO 27017 - Clour data protection

ISO 27017

Cloud Data Protection ISO 27017 is the global standard used by organisations to strengthen their current cloud data protection

Cyber Essentials - Certification Europe

Cyber Essentials

Cyber Essentials Cyber Essentials is a globally recognised IT security standard developed by the UK’s National Cyber Security Centre, which is

ISO 20121 - Event sustainability management systems

ISO 20121

Event Sustainability Management Systems ISO 20121 is an internationally recognised standard for event sustainability management systems. It provides organisations


Recent Insights